Abstract:

Distributed Role-Based Access Control (dRBAC) is a scalable,
decentralized trust-management and access-control mechanism for
systems that span multiple administrative domains. dRBAC represents
controlled actions in terms of roles, which are defined within
the trust domain of one entity and can be transitively delegated to
other roles within a different trust domain. dRBAC utilizes PKI to
identify all entities engaged in trust-sensitive operations and to
validate delegation certificates. The mapping of roles to authorized
name spaces obviates the need to identify additional policy roots.
dRBAC distinguishes itself from previous trust management and
role-based access control approaches in its support for three
features: (1) third-party delegations, which improve
expressiveness by allowing an entity to delegate roles outside its
namespace when authorized by an explicit delegation of
assignment; (2) valued attributes, which modulate transferred
access rights via mechanisms that assign and manipulate numerical
values associated with roles; and (3) credential subscriptions,
which enable continuous monitoring of established trust relationships
using a pub/sub infrastructure to track the status of revocable
credentials.
This paper describes the dRBAC model, its scalable implementation using
a graph-based model of credential discovery and validation, and its
application in a larger security context.